Typechecking a Multithreaded Functional Language with Session Types ? Vasco T. Vasconcelos Departamento de Inform´atica, Faculdade de Ciˆencias,Universidade de Lisboa, 1749-016 Lisboa, Portugal Simon J. Gay Department of Computing Science, University of Glasgow, Glasgow G12 8QQ, UK Ant´onio Ravara CLC and Departamento de Matem´atica, Instituto Superior T´ecnico, 1049-001 Lisboa, Portugal Abstract We define a language whose type system, incorporating session types, allows com- plex protocols to be specified by types and verified by static typechecking. A ses- sion type, associated with a communication channel, specifies the state transitions of a protocol and also the data types of messages associated with transitions; thus typechecking can verify both correctness of individual messages and correctness of sequences of transitions. Previously, session types have mainly been studied in the context of the π-calculus; instead, our formulation is based on a multi-threaded func- tional language with side-effecting input/output operations. Our typing judgements statically describe dynamic changes in the types of channels, and our function types not only specify argument and result types but also describe changes in channels. We formalize the syntax, semantics and type checking system of our language, and prove subject reduction and runtime type safety theorems. Key words: Session types, static typechecking, concurrent programming, specification of communication protocols. ? A revised and extended version of the paper in CONCUR 2004, volume 3170 of LNCS, pages 497–511, Springer-Verlag, 2004. Email addresses: [email protected] (Vasco T. Vasconcelos), [email protected] (Simon J. Gay), [email protected] (Ant´onio Ravara). Preprint submitted to Theoretical Computer Science 28 June 2006 1 Introduction Communication in distributed systems is typically structured around protocols which specify the sequence and form of messages passing over communication channels. Correctness of such systems implies that protocols are obeyed. Systems programming is traditionally performed in the C programming lan- guage. It thus comes as no surprise that many attempts to statically check pro- tocols are based on this language: safe control of stateful resources is achieved via type systems that either run on annotated C programs [8, 13], or on pro- grams written in a type-safe variant of C [18, 19]. Another approach to proving properties of protocols or their correct implementation comes from the general setting of the π-calculus [26, 32], and includes type and effect systems to check correspondence assertions [2, 3, 17], the approximation of the behaviour of π- processes by CCS terms [6, 23, 30], and session types to describe structured communication programming [14, 15, 20, 21, 33, 40]. Session types allow the specification of a protocol to be expressed as a type; when a communication channel is created, a session type is associated with it. Such a type specifies not only the data types of individual messages, but also the state transitions of the protocol and hence the allowable sequences of messages. By extending the standard methodology of static typechecking for conventional languages, it becomes possible to verify, at compile-time, that an agent using the channel does so in accordance with the protocol. Further prop- erties, like authentication or data integrity and correct propagation, may be statically checked by combining session types with correspondence assertions. The theory of session types has been developed in the context of the π-calculus, but until now, has not been studied theoretically in the context of a standard language paradigm, despite a few contributions which bridge session types and conventional languages. Session types have been used to add behavioural information to the interfaces of CORBA objects [34, 35] using Gay and Hole’s theory of subtyping [14, 15] to formalise compatibility and substitutability of components. Session types have also been encoded in the Haskell programming language [27]. The former does not link the improved CORBA interfaces to ac- tual programming languages; the latter does not address the correspondence between a session-based programming language and Haskell. Very recently, Dezani-Ciancaglini et al. [9, 10] have proposed a minimal object-oriented lan- guage with session types. Our contribution to the problem of structured communication-based program- ming in general, and the verification of protocols in particular, is to transfer the concept of session types from the π-calculus to a multi-threaded functional language with side-effecting input/output operations. More precisely, we pro- 2 vide a static, decidable, discipline to ensure that a protocol implementation — code in a programming language — is correct with respect to its specification as a (set of) session type(s). This shows that static checking of session types could be added to a language such as Concurrent ML [31] (at least without imperative features) or Con- current Haskell [28] (cf. [27]). More generally, it is our view that by starting with typing concepts which are well-understood in the context of a theoretical calculus, and transferring them to a language which is closer to mainstream programming practice, we can achieve a powerful type system which is suited to practical programming while retaining the benefits of a sound foundation. The key technical steps which we have undertaken, in order to address the differences between a conventional programming style and the programming notation of the π-calculus, are as follows: • The operations on channels are independent terms, rather than prefixes of processes, so we have introduced a new form of typing judgement which describes the effect of a term on the channel environment (that is, the collection of channel names and their types). • We have separated naming and creation of channels, and because this in- troduces the possibility of aliasing, we represent the types of channels by indirection from the main type environment to the channel environment. In previous work [16], we have presented a language supporting typed func- tional programming with inter-process communication channels, but we only considered individual processes in isolation. In [36], we addressed collections of functional threads communicating via (session) channels created from shared names. Since we considered a concurrent scenario, the type system, compared with the previous one, is more complex. Here we introduce a type checking algorithm for the language, and present the proofs for subject reduction and type safety. The structure of the paper is as follows. In Section 2, we explain session types in connection with a progressively more sophisticated example. Sections 3 to 5 define the syntax, operational semantics, and type system of our language. In Section 6, we present the runtime safety result. In Sections 7 and 8, we discuss related and future work. The appendices contain the proofs of all the results in the paper. 3 2 Session Types and the Maths Server Input, Output, and Sequencing Types. First consider a server which provides a single operation: addition of integers. A suitable protocol can be defined as follows. The client sends two integers. The server sends an integer which is their sum, then closes the connection. The corresponding session type, from the server’s point of view, is S =?Int.?Int.!Int.End in which ? means receive, ! means send, dot (.) is sequencing, and End indicates the end of the session. Note that the type does not correspond precisely to the specification, because it does not state that the server calculates the sum. We only use typechecking to verify observance of the protocol, not functional correctness. The server communicates with a client on a channel called u; we think of the client engaging in a session with the server, using the channel u for communication. In our language, the server looks like this: server u = let x = receive u in let y = receive u in send x + y on u or more concisely: send ((receive u) + (receive u)) on u. Interchanging ? and ! yields the type describing the client side of the protocol: S =!Int.!Int.?Int.End and a client implementation uses the server to add two particular integers; the code may use x but cannot use the channel u except for closing it. client u = send 2 on u send 3 on u let x = receive u in code Branching Types. Now let us modify the protocol and add a negation operation to the server. The client selects one of two commands: add or neg. In the case of add the client then sends two integers and the server replies with an integer which is their sum. In the case of neg the client then sends an integer and the server 4 replies with an integer which is its negation. In either case, the server then closes the connection. The corresponding session type, for the server side, uses the constructor & (branch) to indicate that a choice is offered. S = &hadd :?Int.?Int.!Int.End, neg :?Int.!Int.Endi Both services must be implemented. We introduce a case construct: server u = case u of { add ⇒ send (receive u) + (receive u) on u neg ⇒ send −(receive u) on u } The type of the client side uses the dual constructor ⊕ (choice) to indicate that a choice is made. S = ⊕hadd :!Int.!Int.?Int.End, neg :!Int.?Int.Endi A client implementation makes a particular choice, for example: addClient u = select add on u negClient u = select neg on u send 2 on u send 7 on u send 3 on u let x = receive u in let x = receive u in code code Note that the type of the subsequent interaction depends on the label which is selected. In order for typechecking to be decidable, it is essential that the label add or neg appears as a literal name in the program; labels cannot result from computations. If we add a square root operation, sqrt, then as well as specifying that the argument and result have type Real, we must allow for the possibility of an error (resulting in the end of the session) if the client asks for the square root of a negative number.